Domain Name System Security (DNSSEC) Signing Authority
Network Working Group                                      B. Wellington
Request for Comments: 3008                                       Nominum
Updates: 2535                                              November 2000
Category: Standards Track
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
Abstract
This document proposes a revised model of Domain Name System Security
(DNSSEC) Signing Authority. The revised model is designed to clarify
earlier documents and add additional restrictions to simplify the
secure resolution process. Specifically, this affects the
authorization of keys to sign sets of records.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC 2119].
1 - Introduction
This document defines additional restrictions on DNSSEC signature
(SIG) records relating to their authority to sign associated data.
The intent is to establish a standard policy followed by a secure
resolver; this policy can be augmented by local rules. This builds
upon [RFC 2535], updating section 2.3.6 of that document.
The most significant change is that in a secure zone, zone data is
required to be signed by the zone key.
Familiarity with the DNS system [RFC 1034, RFC 1035] and the DNS
security extensions [RFC 2535] is assumed.
Wellington Standards Track